Privacy Policy
Payzium Corp (USA) and Payzium Holding Inc. (Canada)
Effective date: 2026-06-21
Last reviewed: 2026-06-21
1. About this Policy
This Privacy Policy explains how the Payzium group of companies collects, uses, discloses, and protects personal information in connection with payzium.com, the application and account-boarding process, the published pricing tools, related communications, and any other website, application, or service that links to this Policy (collectively, the "Services").
Two responsible entities. Payzium operates through two affiliated entities. Which entity is the "controller" (for European Union and United Kingdom purposes), the "business" (for United States purposes), or the "enterprise" in charge of personal information (for Quebec purposes) depends on where you are located:
- Payzium Corp, a Delaware corporation, is responsible for personal information collected from individuals located in the United States, Mexico, the Caribbean, and any jurisdiction that is not Canada, the European Economic Area, the United Kingdom, or Switzerland.
- Payzium Holding Inc. / Gestion Payzium Inc., a corporation incorporated under the laws of Canada, is responsible for personal information collected from individuals located in Canada, the European Economic Area, the United Kingdom, and Switzerland.
References to "Payzium," "we," "us," and "our" in this Policy mean whichever entity above is responsible for your personal information based on your location. The two entities share infrastructure, vendors, and operating standards as described in this Policy.
Audience. Our Services are directed to businesses and the individuals who act on their behalf (owners, operators, accountants, controllers, partners). We do not knowingly direct the Services to consumers in their personal capacity or to children under 18.
2. Information We Collect
2.1 Information you provide directly
When you apply for a Payzium merchant account, contact us, become a partner, or otherwise interact with us, we collect:
- Contact and identity information: name, email address, phone number, business role.
- Business information: legal business name, doing-business-as name, business address, country and region of operation, industry vertical, processing volume range, current processor (where you choose to share it).
- Your current processing statement: copies of statements from your current card processor that you upload, which typically contain processing volumes, transaction counts, fee schedules, effective rates, account identifiers, and similar payment-acceptance data. You provide this so that we can confirm the baseline for the 90-Day Processing-Cost Savings Guarantee and so that your application can be reviewed and underwritten. We do not provide a standalone audit service.
- Boarding documents: where required to board your merchant account and to meet know-your-customer and card-network requirements, identification and verification documents, which may include a government-issued photo identification (front and back), a void cheque or equivalent banking detail, and, where your business is incorporated, your articles of incorporation or equivalent constituting documents.
- Personal-guarantee and identity-verification information (limited). Where the acquirer or processor requires a personal guarantee for underwriting, or where your identity cannot be verified from the photo identification you provide, a Social Insurance Number or date of birth may be required. Where this applies, we collect that information only for that purpose, transmit it only through the encrypted document path to the acquirer or processor, and do not retain it in our submission database.
- Communications: the content of emails, calls, chat messages, voicemails, and other communications you send to us, including any information you choose to include in them.
- Authorization records: a record of your acknowledgement of the authorizations you give us when you apply, including to analyze the statement and documents you submit and to contact you.
2.2 Information we collect automatically
When you use our Services, we automatically collect:
- Device and connection data: IP address, browser type and version, operating system, device type, screen size, language preferences, and the dates and times of your interactions with the Services.
- Usage data: pages viewed, links clicked, scroll depth, form interactions, referring URL, and the landing page on which you first arrived.
- Attribution data: query-string parameters present in URLs you use to reach us, including UTM parameters, Google Click Identifiers, Meta Click Identifiers, and equivalent identifiers from other advertising platforms.
- Local-storage attribution: on first arrival, we write the attribution data above, the landing URL, the HTTP referrer, the user agent string, and a capture timestamp into your browser's localStorage under the key payzium_attribution. This entry is retained for up to 90 days, after which it is treated as expired and re-captured on the next visit. We use first-touch attribution; an existing unexpired entry is not overwritten by a later visit. The entry stays on your device until it expires, you submit a form (in which case the values are sent to us with the submission), or you clear your browser storage.
- Server logs: Vercel records standard request logs (URL requested, status code, IP address, timestamp, response time) for security and operational purposes.
Cookies and similar technologies. Our primary website analytics provider, Plausible, does not use cookies and does not track individuals across sites. We use cookies and equivalent technologies only where necessary to operate the Services (for example, to remember your privacy choices), and where applicable to support paid-advertising measurement when you arrive from a paid campaign. We do not place advertising cookies for retargeting before you have provided the consent required in your jurisdiction. The localStorage attribution entry described above is a similar technology and is governed by the same consent rules where consent is required.
2.3 Information we receive from third parties
-
Phone number validation. When you submit a phone number, we send the number and country code to Twilio, Inc. for validation through its Lookup v2 service. Twilio returns a normalized E.164-formatted number, line type, and carrier name. We retain the validated outputs alongside your submission.
-
Business intelligence enrichment. We may enrich submissions with publicly available business information (for example, NAICS classification, location coordinates, web presence) from data providers and public sources, in order to verify identity and improve service quality.
-
Referral sources. Where you reach our Services through a third-party referral source or where such a source submits information on your authorized behalf, we receive your contact information and any business information that source has provided.
-
Advertising platforms. Where you arrive from a paid campaign, the originating platform may share aggregated or click-level information with us to attribute the lead.
3. Why We Use Personal Information
We use personal information for the following purposes:
- Provide the Services. Review and prepare your application, arrange for an acquirer or processor to underwrite and board your merchant account, confirm the guarantee baseline, and provide and support the Services. Payzium does not itself underwrite or board merchant accounts.
- Communicate with you. Confirm submissions, respond to questions, follow up, send service updates, and administer the guarantees.
- Verify and authenticate. Validate the contact information you provide (including phone validation through Twilio Lookup), confirm authorization, and reduce duplicate or fraudulent submissions.
- Improve our Services. Analyze aggregate usage patterns and conversion behavior in order to improve the website, the pricing tools, and the customer experience.
- Marketing and outreach. Where permitted by applicable law, send you commercial communications about Payzium services that we believe will be relevant to your business. You can opt out at any time.
- Comply with law and protect rights. Comply with applicable legal obligations (tax, accounting, anti-fraud, anti-money-laundering, sanctions screening), respond to lawful requests, and exercise or defend legal claims.
- Operate our partner program. Where you participate as a partner or sub-partner, manage the relationship, calculate compensation, and review performance under the partner agreement.
4. Legal Basis for Processing
Where required by law (in particular, the General Data Protection Regulation in the European Union and the United Kingdom, and the Quebec Act respecting the protection of personal information in the private sector, as amended by Law 25), we rely on one or more of the following legal bases:
- Performance of a contract or steps requested before entering a contract: for example, to review and prepare your application, arrange boarding of your merchant account, or onboard you as a partner.
- Legitimate interests: for example, to operate, secure, and improve our Services, to prevent fraud, to conduct B2B outreach to business contacts in the course of commercial activity, and to maintain records. We have assessed these interests against the rights and freedoms of the individuals concerned.
- Consent: for example, where you submit a statement and documents and authorize their use, where consent is required under Quebec Law 25 for the use or communication of personal information, where required for marketing communications, and where required to read or write information on your device.
- Compliance with legal obligations: for example, to retain records for tax purposes or to respond to lawful regulatory or governmental requests.
- Protection of vital interests or public interest: in narrow circumstances where required by applicable law.
Quebec specifically. Under Quebec Law 25, our collection, use, and communication of your personal information is governed by the principles of necessity, transparency, purpose limitation, and consent (express where required, implied only where the law permits). The Person in Charge of the Protection of Personal Information for Payzium Holding Inc. is named in the Contact section below.
5. How We Share Personal Information
We share personal information only as described below.
5.1 Within the Payzium group
We share personal information between Payzium Corp and Payzium Holding Inc. for shared infrastructure, customer support, partner administration, and consolidated security and accounting functions, under written safeguards that hold the receiving entity to the same standards as the originating entity.
5.2 Service providers (sub-processors)
We share personal information with vendors who process it on our behalf, under written contracts that restrict use to the purposes we direct, require security measures appropriate to the risk, and prohibit independent use of the information. Our current sub-processors are:
| Sub-processor | Function | Categories of personal information | Location of processing |
|---|---|---|---|
| Vercel Inc. | Website hosting, application infrastructure, analytics | Form submissions in transit, IP address, user agent, browser metadata | United States |
| Vercel Inc. (Blob storage) | Storage of uploaded statements and boarding documents | Merchant processing statements and boarding documents (government photo identification, void cheque, articles of incorporation), which may contain business name, processing volumes, fee structures, account identifiers, and identity details. Does not include any Social Insurance Number. | Canada (Montreal) |
| Airtable Inc. | Submission database, partner portal, internal record-keeping | Contact information, business information, application metadata, attribution data. Does not include any Social Insurance Number. | United States |
| Resend Inc. | Transactional email delivery (confirmations, follow-ups) | Email address, name, application reference identifiers | United States |
| Twilio Inc. | Phone number validation via Lookup v2 | Phone number, country code | United States |
| Plausible Insights OU | Privacy-respecting website analytics (no cookies, no cross-site tracking) | Aggregate page-view data, hashed and anonymized session identifiers, country-level geolocation | European Union (Estonia, Germany) |
| Google LLC (Google Analytics 4, Google Ads, when applicable to paid traffic) | Conversion tracking and audience measurement on paid campaigns | IP address, device identifiers, click identifiers, interaction events | United States; transfers governed by EU Standard Contractual Clauses where applicable |
| Anthropic PBC and large language model providers | Automated parsing and analysis of statement and application data for application review and pricing analysis | De-identified statement and application content; we strip business names and account numbers from prompts where technically feasible before model invocation | United States |
This list is current as of the effective date above. We will update it when we add or replace a material sub-processor. Where you have an active business relationship with us and we add a sub-processor that is material to your engagement, we will notify you with reasonable advance notice.
5.3 Referral sources and partners
Where you reach our Services through an authorized referral source or partner, or where such a source submits information on your authorized behalf, we share submission status and high-level outcome information with that source so they can serve you and so we can administer the relationship. Referral sources and partners are contractually prohibited from independently retaining, copying, forwarding, or marketing to your information beyond what is necessary to support the engagement.
5.4 Acquirers and processors
To board your merchant account, we share the information necessary to board and operate the account (for example, your business and contact information, your statement and boarding documents, and your authorization records) with the acquiring bank, payment processor, or independent sales organization that boards and operates the account. The receiving acquirer or processor becomes an independent controller of your information for its own regulatory and business purposes once it accepts the application.
5.5 Professional advisors and corporate transactions
We may share personal information with our auditors, lawyers, accountants, and insurers under duties of confidentiality. If Payzium is involved in a merger, acquisition, financing, reorganization, sale of assets, or insolvency, personal information may be transferred as part of that transaction, subject to confidentiality protections and applicable law.
5.6 Legal and safety
We may share personal information when we believe in good faith that the disclosure is necessary to comply with applicable law or legal process, to enforce our terms, to protect our rights, property, or safety, or the rights, property, or safety of others, or to investigate fraud or security incidents.
No sale of personal information. We do not sell personal information for monetary consideration. The disclosures described in this Policy may, depending on jurisdiction, be considered "sharing" for cross-context behavioral advertising or comparable defined terms in some United States state laws. See Section 11 for the rights available to you, including the right to opt out of any such sharing.
6. International Data Transfers
Payzium operates from the United States and Canada. Statements and boarding documents you upload are stored in Canada (Montreal), which we have confirmed. Other personal information may be processed by sub-processors located in the United States and elsewhere, as described in the table in Section 5.2. As a result, personal information that we collect in Canada, the European Economic Area, the United Kingdom, or Switzerland may be transferred to and processed in jurisdictions whose privacy laws differ from those of your home jurisdiction.
Quebec. Before transferring personal information outside Quebec, we conduct a Privacy Impact Assessment under Quebec Law 25, taking into account the sensitivity of the information, the purpose of the transfer, the protection measures (including contractual, technical, and organizational), and the legal regime applicable in the destination jurisdiction. We enter into written agreements with sub-processors and with the acquirer or processor that boards your account, that include data protection commitments and audit rights. By applying, you acknowledge and consent that your personal information may be communicated outside Quebec and may be communicated outside Canada.
European Economic Area, United Kingdom, Switzerland. Where we transfer personal information from these jurisdictions to the United States or another third country, we rely on the European Commission's Standard Contractual Clauses (and the United Kingdom International Data Transfer Addendum or the Swiss equivalent, where applicable) or another lawful transfer mechanism, supplemented by additional technical, contractual, and organizational measures where appropriate.
You may request a copy of the relevant transfer mechanism by contacting us using the details in Section 13.
7. How Long We Keep Personal Information
We keep personal information only for as long as necessary for the purposes described in this Policy, after which we delete or de-identify it. The actual periods depend on the type of information, the outcome of your application, and the legal, accounting, and operational obligations that apply:
- Application records, statements, and boarding documents, by the outcome of your application:
- Onboarded merchants (you switch to Payzium): retained for the duration of your engagement and for up to seven (7) years after your last interaction, to comply with tax, accounting, anti-money-laundering, and dispute-resolution obligations. Statement and boarding-document files stored in Vercel Blob (Canada) are subject to the same period and are protected by access controls.
- Abandoned or no-decision applications (you start or submit an application but no Payzium decision is made): erased after a defined period of inactivity. A started but not submitted application is erased after thirty (30) days of inactivity; a submitted application on which no decision is made is erased after ninety (90) days of inactivity. Erasure removes the application record and the associated statement and boarding-document files.
- Applications we decline (a Payzium decision is made): we keep a minimal record of the decision for up to one (1) year, after which we destroy or anonymize it. The acquirer or processor keeps its own underwriting file under its own retention rules.
- Contact and CRM records: retained while you remain a customer, prospect, or partner, and for up to thirty-six (36) months after the last interaction unless a longer period is required by law or by an active engagement.
- Communications: retained while necessary to support the relationship and to demonstrate compliance, generally up to seven (7) years.
- Server and security logs: retained for up to twelve (12) months for security, debugging, and abuse-prevention purposes.
- Local-storage attribution entry on your device: expires automatically after 90 days, or sooner if you clear your browser storage.
- Plausible analytics: Plausible does not retain individual-level identifiers; aggregate analytics are retained for as long as needed for product and marketing analysis.
- Marketing data: retained until you unsubscribe or until thirty-six (36) months after the last engagement, whichever is shorter, unless you re-engage.
- Records to evidence consent and rights requests: retained as long as required by applicable law to evidence our compliance.
8. How We Protect Personal Information
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit, access controls based on role and least privilege, infrastructure logging and monitoring, secure software development practices, sub-processor due diligence, and incident-response procedures. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Breach notification. If we learn of a confidentiality incident that creates a risk of serious injury under Quebec Law 25, a personal data breach under the GDPR, a breach of security safeguards under PIPEDA, or a notifiable security incident under any United States state law, we will notify the relevant supervisory authority and affected individuals in accordance with the timelines and content requirements of the applicable law.
9. Automated Processing and AI
We use automated processing, including software powered by large language models, to parse merchant processing statements and application data, classify line items, calculate effective rates, compute benchmarks, and support application review and pricing analysis. A human reviewer at Payzium reviews material outputs before they are acted on or communicated to you.
The decision whether you apply, switch processors, or engage Payzium further always rests with you. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without human involvement.
Quebec specifically. Where Quebec Law 25 applies, you have the right to be informed when a decision concerning you is based exclusively on automated processing, to obtain the principal personal information used to render the decision and the principal factors and parameters that led to it, to have your observations considered, and to request that the decision be reviewed.
Model providers. We send statement and application content to AI model providers (currently Anthropic) only to obtain the analytical output we use to provide the Services. We instruct providers not to retain prompts or completions for training, and we strip business names and account numbers from prompts where technically feasible.
10. Children's Privacy
Our Services are intended for businesses and the individuals who act on their behalf in a professional capacity. We do not knowingly collect personal information from children under the age of 18 (or under the equivalent local age of digital consent). If you believe a child has submitted personal information to us, please contact us using the details in Section 13 and we will delete the information.
11. Your Privacy Rights
Depending on where you are located, you have some or all of the following rights with respect to your personal information. We honor these rights regardless of citizenship where the law applies based on your location:
- Access: you can ask for a copy of the personal information we hold about you and information about how we process it.
- Rectification: you can ask us to correct inaccurate or incomplete personal information.
- Erasure or deletion: you can ask us to delete your personal information, subject to our legitimate retention obligations (for example, tax, accounting, fraud-prevention, and dispute records).
- Restriction of processing: you can ask us to limit the use of your personal information in specified circumstances.
- Portability: you can ask us to provide a structured, commonly-used, machine-readable copy of personal information you provided to us, and where technically feasible, to transmit it to another organization.
- Objection: you can object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: where processing is based on consent, you can withdraw consent at any time without affecting prior lawful processing.
- De-indexing (Quebec): you may request that we de-index personal information in defined circumstances where the dissemination causes serious injury that outweighs the public interest.
- Automated decision-making: you can request information about, and where applicable contest, decisions made solely on automated processing that produce legal or similarly significant effects.
- Lodge a complaint: you may lodge a complaint with your local supervisory authority, listed in the Contact section below.
11.1 Quebec residents
Under the Quebec Act respecting the protection of personal information in the private sector (as amended by Law 25), you have the rights of access, rectification, withdrawal of consent, de-indexing, ceased dissemination, and portability described above. You may also lodge a complaint with the Commission d'acces a l'information du Quebec.
11.2 Other Canadian residents
Under PIPEDA and substantially similar provincial laws (Alberta PIPA, British Columbia PIPA), you have rights of access, correction, withdrawal of consent, and complaint to the Office of the Privacy Commissioner of Canada or your provincial commissioner.
11.3 European Economic Area, United Kingdom, and Switzerland
Under the GDPR, the United Kingdom GDPR, and the Swiss Federal Act on Data Protection, you have the rights of access, rectification, erasure, restriction, portability, and objection described above, plus the right to lodge a complaint with your local supervisory authority.
11.4 California residents
Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), you have the right to know, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising, the right to limit the use of sensitive personal information, and the right to non-discrimination. We do not sell personal information for monetary consideration. Where we engage in "sharing" as that term is defined under the CPRA, you may opt out using the contact details below or, where presented, the "Do Not Sell or Share My Personal Information" link on our website. We honor Global Privacy Control (GPC) signals.
Categories of personal information collected (CCPA notice at collection): identifiers, customer records, commercial information, internet or other electronic network activity, geolocation information (general), professional or employment-related information, and inferences drawn from the foregoing. Sensitive personal information collected: phone number, government-issued identification provided for boarding, account log-in credentials only if you create an account, and (where included in submitted statements) financial account identifiers. We use sensitive personal information only for the purposes permitted under the CPRA without further consent.
11.5 Other United States residents
If you reside in a state with a comprehensive consumer privacy law (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Kentucky, Rhode Island, and others as applicable), you have rights similar to those above, including access, deletion, correction, portability, and opt-out of targeted advertising and certain sales. To exercise these rights, follow the procedure in Section 12.
12. How to Exercise Your Rights
To exercise any of the rights above, contact us using the details in Section 13. We may need to verify your identity before completing the request, in a manner proportionate to the sensitivity of the information and the risk of harm from unauthorized disclosure.
We will respond within the timeframe required by the applicable law (generally 30 days, extendable in certain cases). There is no fee for most requests. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive, as permitted by law. If we deny a request in whole or in part, we will explain the reason and inform you of your right to appeal (where applicable) and to lodge a complaint with the relevant supervisory authority.
Authorized agents. You may use an authorized agent to submit a request on your behalf, with appropriate proof of authorization. We may contact you to verify the request directly.
13. How to Contact Us
13.1 Person in Charge of the Protection of Personal Information (Quebec) and Privacy Contact
Maurizio Verrelli, President, has been designated as the Person in Charge of the Protection of Personal Information for Payzium Holding Inc. under Quebec Law 25, and serves as the privacy contact for the Payzium group of companies.
Email: privacy@payzium.com
13.2 Mailing addresses
Payzium Corp (USA). Attention: Privacy. 4498 Main St Ste 4 #5450, Amherst NY 14226.
Payzium Holding Inc. (Canada). Attention: Person in Charge of the Protection of Personal Information. 1200 rue de Maisonneuve W, Montreal QC H3A 0A1.
13.3 Supervisory authorities
If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local supervisory authority. Examples include:
- Quebec: Commission d'acces a l'information du Quebec (cai.gouv.qc.ca).
- Canada (federal): Office of the Privacy Commissioner of Canada (priv.gc.ca).
- European Economic Area: the data protection authority of the country in which you reside, work, or where the alleged infringement took place.
- United Kingdom: Information Commissioner's Office (ico.org.uk).
- California: California Privacy Protection Agency (cppa.ca.gov) and California Attorney General (oag.ca.gov).
14. Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the "Effective date" and "Last reviewed" dates at the top. If the changes are material, we will provide additional notice (for example, by email to active customers, by a banner on the Services, or as required by applicable law) before the changes take effect.
15. Definitions
"Personal information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, as defined under the applicable law in your jurisdiction.
"Sensitive personal information" has the meaning given to it under the applicable law in your jurisdiction, and may include precise geolocation, financial account identifiers, government identifiers, biometric information, health information, account credentials, and the contents of communications.
"Process" means any operation performed on personal information, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure, and destruction.
"Sub-processor" means a third party engaged by Payzium to process personal information on Payzium's behalf and under Payzium's instructions.
"Services" has the meaning given in Section 1.